How Secure are Open APIs?

On 26th November, we’re giving financial services organizations the opportunity to put their API security questions to our experts. In the meantime, our two-part open API series puts the crux of the challenges facing banks, FinTechs and aggregators into context.

In part one we covered the basics; what is an open API and what are the associated benefits? In part two we explore how open APIs will affect the financial services industry; what are the security implications of connecting two businesses via third-party technology?

Why are open APIs vulnerable to attack?

As discussed in part one, in the open banking infrastructure APIs sit between the payment service provider (PSP) and third-party provider (TPP). The API makes it possible for data to be shared between the two organizations.

The API, therefore, sits at a crucial point in the shared infrastructure between the PSP and TPP. If the API is attacked, both connected parties are vulnerable.

It’s vital to remember that threat actors are always seeking the easiest point of entry; which makes APIs an extremely attractive target. After all, APIs can’t detect, prevent or respond to automated attacks. They are open by design, and therefore attacks against API endpoints can be less complex than those targeting websites and mobile applications.

If an API is exposed, bots can be used to takeover accounts, scrape data and prevent the API from running properly.

Who is responsible for maintaining API security?

PSPs and TPPs alike are responsible for ensuring a resilient API environment. As such, PSD2 and the UK’s open banking legislation restrict API access to regulated TPPs that have been subject to extensive verification of their security, operational governance and risk management controls. But that doesn’t automatically mean PSPs are 100% safe from attack.

James Maude, Head of Threat Research at Netacea said:

“APIs can extend the ways in which an attacker will attempt to gain entry – through the TPP, mobile applications, or access to the API directly

“The problem for banks is that, even if they take every precaution to make sure that the API is secure, there are ways to attack it that are out of their control. A hacker with access to a TPP’s system could use it to scrape personal details, but it doesn’t have to be quite so direct. An improperly secured and poorly designed third-party app configured to share the bank’s data is a direct link to an API that can be exploited in a “supply chain” attack – in which instance, automated attacks that test credentials and card details and commit fraud to become possible.”

Securing your open APIs

Creating a resilient API environment is critical to protecting your financial services organization, customers and any connected TPPs, starting with securing the API’s three points of vulnerability with the appropriate mitigation methods:

At Netacea, we take a revolutionary approach to bot management, applying a single solution with innovative coverage across all API points of vulnerability. We monitor all site visits to a specified path and analyze them in context relative to each of the visitors to the enterprise estate. This enables us to understand not just whether a user is a human or bot, but whether a user has good or bad intent. To find out how we can help you stop malicious bots, talk to our team today.

Did you miss our Beyond Open Banking event? If you’re in financial services and would like to learn more about API security from our CTO Andy Still and Head of Threat Research James Maude, you can catch up on the evening’s highlights here:
Beyond Open Banking: Event Recap.